Uyghur Language Software Hijacked to Deliver Malware

Summary:
In March 2025, senior leaders of the World Uyghur Congress (WUC)—a group made up of Uyghurs living outside of China who speak out about the treatment of Uyghurs—were targeted in a cyberattack. The attackers used a fake version of a real Uyghur-language word processing app to trick people into downloading malware (malicious software). This malware allowed the attackers to spy on people's computers.

The fake app was sent through a phishing email that looked like it came from a trusted contact. Inside the email was a link to download the infected file. Once opened, the malware silently gathered information from the computer and could let someone control the system from far away, install more malware, or steal files.

Even though the malware itself wasn’t high-tech, the attack was very cleverly designed for this specific community. It was especially dangerous because the software looked like it was made by a developer whom the Uyghur community already trusted.

This is not the first time that this has happened. The Chinese government (or agents working for it) has tried many times before to track down and silence Uyghurs abroad. It does so online with spyware, fake apps, and phishing, but also by threatening and intimidating their families still in China.

This type of cyberattack is one aspect of a larger phenomenon known as digital transnational repression, where governments use online methods to harass or surveil citizens who live abroad. In this case, the goal was to scare Uyghurs away from demonstrating and to compile personal data that could be held against them or used against their families.

The malware communicated with command-and-control sites whose domain names contained Uyghur words and phrases—such as "tengri" and "anar"—so that the traffic would attract less suspicion. The imitation sites and emails were deliberately made to look legitimate.

Researchers also found other versions of the same malware on the internet, so this sample was not the only one. This may indicate a broader campaign targeting different groups of Uyghurs overseas.

Security Officer Comments:
This incident isn't just about a cyberattack; it's a calculated move targeting a vulnerable community. The malware wasn't merely a generic threat—it was embedded in a trusted Uyghur language tool, turning a symbol of cultural preservation into a weapon against the very people it was meant to help.

Key aspects of the malware:

  • Delivery Method: The attackers used spearphishing emails, impersonating a partner organization, to distribute a trojanized version of UyghurEditPP, an open-source text editor trusted by the Uyghur community.
  • Functionality: Once executed, the malware collected system information—such as machine name, username, IP address, and operating system version—and sent it to command-and-control servers. It also had the capability to download additional malicious plugins, allowing for extended surveillance and control.
  • Command-and-Control Infrastructure: The malware communicated with servers using culturally significant domain names like tengri[.]ooguy[.]com and anar[.]gleeze[.]com, making the malicious activity less conspicuous to the targeted users.
  • Trust Exploitation: By compromising a legitimate tool developed by a known and trusted member of the Uyghur community, the attackers not only breached security but also eroded trust in essential digital resources.
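As an added example (not code from the Citizen Lab report or from this page), the detection logic a defender could run over DNS resolver logs to spot hosts resolving the two command-and-control domains listed above. The log format and the sample log lines are constructed assumptions; the indicators are the page's own, in defanged form.

```python
import re
from typing import Dict, List

# Indicators taken from the report above, kept in defanged form.
DEFANGED_IOCS = ["tengri[.]ooguy[.]com", "anar[.]gleeze[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into 'a.b' for matching."""
    return indicator.replace("[.]", ".").lower().strip(".")


C2_DOMAINS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample resolver log (not real data). Assumed line format:
# "<timestamp> <client-ip> query <queried-name>".
SAMPLE_DNS_LOG = """\
2025-03-12T09:14:02Z 10.0.5.21 query updates.example-vendor.test
2025-03-12T09:14:07Z 10.0.5.21 query tengri.ooguy.com
2025-03-12T09:15:31Z 10.0.5.33 query mail.example.test
2025-03-12T09:16:45Z 10.0.5.21 query api.anar.gleeze.com.
2025-03-12T09:17:02Z 10.0.5.40 query anargleeze.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def matches_c2(qname: str) -> bool:
    """True if qname is a C2 domain or a subdomain of one.

    Case and a trailing dot are normalised; a look-alike such as
    'anargleeze.com' must not match, so only label boundaries count."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def find_c2_lookups(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per log line whose queried name hits the C2 list."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if matches_c2(m["qname"]):
            alerts.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"]})
    return alerts


if __name__ == "__main__":
    for a in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"ALERT {a['ts']} host={a['client']} resolved C2 domain {a['qname']}")
```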

This campaign underscores a broader strategy of digital transnational repression, where authoritarian regimes extend their reach beyond borders to surveil and intimidate diaspora communities. The use of culturally significant tools as attack vectors is particularly insidious, as it undermines efforts to preserve and promote marginalized languages and cultures.

Suggested Corrections:
To remain secure from such attacks, one should not download applications from unfamiliar links and should use only reputable sources such as official sites or authenticated GitHub pages. Always look for indicators of authenticity, such as authenticated publishers and secure website URLs. Be wary of emails that are urgent or unexpected, even if they appear to come from reputable contacts. Governments of host countries should provide support and data to vulnerable communities, while technology companies must upgrade warning systems and collaborate with civil society to prevent digital repression.

Source
https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/